Welcome to the Zimbra Forums!
11-14-2005, 08:45 AM
Commercial SSL Certificates and IMAP/POP
I bought a commercial SSL certificate to use with my Zimbra install, and though I found it very straightforward to get it working with SMTP and Tomcat, I am struggling to get it working with my IMAP / POP daemons.
It was easy with Postfix/Tomcat because the procedures are widely documented, but since Zimbra uses home-grown IMAP/POP daemons, I have had trouble figuring it out.
Also, my server name is say server1.domain.com and my certificate is secure.domain.com (both pointing to the same IP). This seems to work fine with Tomcat and SMTP, but IMAPs AND POP3s are not even running (I'm assuming this because ports 993 and 995 are not listening on my box, while 110 and 143 are). And yes, SSL is turned on for both services in the admin tool.
Advice?
Thanks,
bp
11-14-2005, 10:59 AM
Zimbra Employee
Posts: 4,784
Our POP/IMAP are not separate daemons. They are native in our tomcat webapp along with the SOAP service. Actually makes it very nice since IMAP/POP/SOAP can all share the same caches and will never get out of sync. So no matter what client (AJAX, Outlook, Thunderbird, Treo, etc.) connects, they will all see the same data and changes right away. Just thought I'd mention that to clear up any misconceptions.
So, to install a real cert, the commands are here: certs
Just need to reference your cert rather than the self-signed ones we create.
11-14-2005, 02:37 PM
Kevin-
Thanks for getting back to me. If I look at the zmcertinstall script, it does the following:
cp -f $CERTFILE ${CONF}/smtpd.crt
cp -f $KEYFILE ${CONF}/smtpd.key
I have replaced those files as such:
smtpd.crt is my certificate chain (root, intermediate, site)
smtpd.key is the private key for the site certificate
IMAPs and POPs are still not starting.
TLS works fine for SMTP.
Again, my server name is server1.domain.com and my certificate is for secure.domain.com. Tomcat and SMTP don't seem to mind; will POP/IMAP?
bp
11-14-2005, 03:59 PM
Zimbra Employee
Posts: 4,784
IMAP/POP is running under tomcat, so not sure what you've SSL'd in tomcat. Do you mean the webclient, like https? Did you run zmcertinstall with the 'mailbox' attr, which will send this over to tomcat the way Zimbra expects?
11-14-2005, 11:09 PM
Kevin-
I found the problem. Since you can't import private keys to a keystore using keytool, I built my private key and my CSR on a new store.
When I was building this store/private key, I used the default tomcat password "changeit" instead of zimbra.
When I found out that zimbra's tomcat setup was using "zimbra" as the keystore password, I changed the setting in server.xml rather than change the password on my keystore/private key. This proved to be the problem, as it appears the imap/pop apps access the keystore directly, and I imagine they are hard coded to use the keystore password zimbra.
Everything works fine after changing the keypass and the storepass to zimbra.
bp
11-15-2005, 09:51 AM
Zimbra Employee
Posts: 2,073
hardcoded
It is indeed hardcoded - this is something we need to address.
WRT the private key issue - keytool won't allow you to import or export private keys, which is a real pain - since postfix wants the private key available in a separate file, as does ldap (for ldaps).
There are a few 3rd party apps out there that will allow you to do this import/export, though I didn't find any free products. Google will help you out, if this becomes necessary.
11-15-2005, 01:06 PM
Here is a little Java app that does it:
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;

public class DumpPrivateKey {
    public static void main(String[] args) {
        try {
            // Open the JKS keystore with its store password.
            KeyStore ks = KeyStore.getInstance("jks");
            ks.load(new FileInputStream("tomcat.keystore"),
                    "changeit".toCharArray());
            // Recover the entry with its key password (this can differ from the store password).
            Key key = ks.getKey("tomcat", "changeit".toCharArray());
            if (key == null) {
                System.err.println("no key entry named tomcat");
                return;
            }
            // Writes the raw DER-encoded (PKCS#8) key to stdout; redirect it to a file.
            System.out.write(key.getEncoded());
            System.out.flush();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }
}
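Building on the DumpPrivateKey app above and on the finding earlier in the thread that the keystore password and the key password must both match what the server expects, here is an added example (not code from the thread, from Zimbra, or from any forum member). It loads a JKS keystore and reports whether it is the store password, the alias or the key password that is wrong (the three cases that all look like "it just doesn't start" from the outside), and, when everything checks out, writes the private key and certificate chain as PEM files for components such as postfix or ldap that read key material from files rather than from the keystore. It assumes Java 8 or later (for java.util.Base64), a JKS keystore readable by the JVM, and hypothetical names of its own: the class KeystorePemExport and the output files <alias>.key.pem and <alias>.chain.pem.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.util.Base64;

/**
 * Hypothetical diagnostic/export tool (added example, not part of Zimbra).
 * Tells apart a wrong store password, a missing alias and a wrong key
 * password, then exports the private key and chain as PEM files.
 *
 * Usage: java KeystorePemExport <keystore.jks> <storepass> <keypass> <alias>
 */
public class KeystorePemExport {

    /** Outcome of the password/alias check. */
    enum Result { OK, WRONG_STORE_PASSWORD, NO_SUCH_ALIAS, WRONG_KEY_PASSWORD, NOT_A_PRIVATE_KEY }

    /** Loads the keystore with the store password. */
    static KeyStore load(String path, String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass.toCharArray());
        }
        return ks;
    }

    static Result diagnose(String path, String storePass, String keyPass, String alias) throws Exception {
        KeyStore ks;
        try {
            ks = load(path, storePass);
        } catch (IOException e) {
            // JKS reports a failed integrity check (bad storepass) as an
            // IOException whose cause is UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) {
                return Result.WRONG_STORE_PASSWORD;
            }
            throw e;  // genuine I/O error, not a password problem
        }
        if (!ks.containsAlias(alias)) {
            return Result.NO_SUCH_ALIAS;
        }
        Key key;
        try {
            key = ks.getKey(alias, keyPass.toCharArray());
        } catch (UnrecoverableKeyException e) {
            // The entry exists but was stored under a different key password.
            return Result.WRONG_KEY_PASSWORD;
        }
        return (key instanceof PrivateKey) ? Result.OK : Result.NOT_A_PRIVATE_KEY;
    }

    /** Wraps DER bytes in a PEM envelope with 64-column base64 lines. */
    static String toPem(String label, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + label + "-----\n" + b64 + "\n-----END " + label + "-----\n";
    }

    /** Writes <alias>.key.pem (unencrypted PKCS#8, created mode 0600 where supported) and <alias>.chain.pem (leaf first). */
    static void exportPem(KeyStore ks, String alias, String keyPass) throws Exception {
        PrivateKey key = (PrivateKey) ks.getKey(alias, keyPass.toCharArray());
        Path keyFile = Paths.get(alias + ".key.pem");
        Files.deleteIfExists(keyFile);
        try {
            // Create the file with owner-only permissions before any key bytes land in it.
            Files.createFile(keyFile, PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")));
        } catch (UnsupportedOperationException e) {
            Files.createFile(keyFile);  // non-POSIX filesystem: restrict access by other means
        }
        Files.write(keyFile, toPem("PRIVATE KEY", key.getEncoded()).getBytes(StandardCharsets.US_ASCII));

        StringBuilder chain = new StringBuilder();
        for (Certificate c : ks.getCertificateChain(alias)) {
            chain.append(toPem("CERTIFICATE", c.getEncoded()));
        }
        Files.write(Paths.get(alias + ".chain.pem"), chain.toString().getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: KeystorePemExport <keystore> <storepass> <keypass> <alias>");
            System.exit(2);
        }
        Result r = diagnose(args[0], args[1], args[2], args[3]);
        System.out.println("check: " + r);
        if (r != Result.OK) {
            System.exit(1);
        }
        exportPem(load(args[0], args[1]), args[3], args[2]);
        System.out.println("wrote " + args[3] + ".key.pem and " + args[3] + ".chain.pem");
    }
}
```

To reproduce the mismatch from the thread on a constructed test keystore rather than a production one, create an entry whose key password differs from the store password with `keytool -genkeypair -keystore test.jks -storetype JKS -storepass changeit -keypass zimbra -alias tomcat -keyalg RSA -keysize 2048 -dname "CN=secure.domain.com"`; then `java KeystorePemExport test.jks changeit changeit tomcat` reports WRONG_KEY_PASSWORD, while `java KeystorePemExport test.jks wrong zimbra tomcat` reports WRONG_STORE_PASSWORD. Aligning the two, as bp did, is `keytool -keypasswd -keystore test.jks -storepass changeit -alias tomcat -keypass zimbra -new changeit`. The exported key file is unencrypted, which is why it is created owner-only before being written.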
11-15-2005, 01:22 PM
Zimbra Employee
Posts: 2,073
Thanks! I'll give that a shot
10-27-2007, 05:43 PM
POSTFIX Is Misbehaving with Commercial Certificate
Hi there.
I recently bought a certificate for the tld of our domain.
I followed the instructions on the Wiki pages and forum to deploy, and all is well with tomcat.
However, every time I start the MTA, it attempts to start postfix and then prompts me for a password. I press enter and it doesn't complain, but zmcontrol status will also request a password when it gets to mta.
nmap shows that the 25/465 ports are fine, but I am told postfix isn't running.
Finally, I can't send mail now that I've replaced the SelfCerts, if I enable either SSL or TLS.
This is a public email server and I could do with some swift guidance.
Regards
Tunji